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I. INTRODUCTION 


In Regulated Environments (RE), which have impacts 
on the society, regulatory agencies standards usually 
require adherence to standards to demonstrate that a 


product is safe and reliable [1]. 


Standards published by committees, 


technical entities, or regulatory agencies influence product 
development through risk-based software process and 
product guidelines. Typically, each domain of knowledge 
has its own standard, which has to be customized based on 
knowledge acquisition from domain experts. Despite the 
existence of several techniques and methods of knowledge 
acquisition, mostly based on interviews and analysis, there 
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Abstract— In regulated environments, which have impacts on the society, 
standards are adopted to determine rules to be followed, since the society 
expects to receive safe and reliable products and services. Regulatory 
agencies usually require adherence to requirements established in norms 
and standards so the product can be approved. In this context, space 
programs Quality Assurance standards are applicable to satellite projects 
with a wide responsibility range, from experimental small satellites to 
manned spaceships. Applying the full contents of these standards may be 
unfeasible to small missions with low responsibility, considering the cost 
and schedule constraints inherent to this type of project. Therefore, a 
customization of the requirements must be conducted in a thoughtful and 
disciplined manner, considering the project characteristics. The tailoring 
process presented in this work includes the analysis of the risk to the 
mission due to the reduction of the set of requirements. Each requirement 
was evaluated in view of its maintenance, modification, or elimination. 
This paper presents a process of tailoring mission-specific requirements, 
using a mission risk rating and the risk analysis tool FMECA. The result 
was a structured process for tailoring requirements, which provided a 
subset of Quality Assurance requirements applicable to small satellite 
projects. 


is still the need for methods that provide systematic 
support for customization of requirements [2, 3]. 


For space projects, the ECSS (European Cooperation 
for Space Standardization), a regulatory body for European 
space companies, including the ESA (European Space 
Agency), has a series of standards containing requirements 
used in the development of high responsibility and high- 
cost satellites. The use of these standards, however, is 
intrinsically associated with the characteristics of each 
project, such as type of product, role of the product in the 
system, size of the system and level of risk. According to 
ECSS System - Description, implementation, and general 
requirements [4] 
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Literature reports that low responsibility satellite 
projects do not necessary fulfill the whole set of 
requirements from the standards, due to cost and time 
constraints. Tailoring these standards may have several 
drivers, such as dependability and safety aspects, 
development constraints, product quality and business 
objectives [5]. 


The low-responsibility satellites, notably the small 
satellites, whose denomination in this work applies to 
those with a mass up to 180 kg, belong to the class of 
satellites whose share is increasingly representative in the 
artifacts launched into space accordingly to NASA State- 
of-the-art Spacecraft Technology Report [6]. Therefore, 
there is an increasing number of organizations that need to 
demonstrate adherence with standards-based regulations, 
and the lack of appropriate processes may have negative 
consequences such as missing important activities or 
having limited ways to demonstrate their quality and be 
recognized in their domain [7]. 


Since 2013, ESA has released documents related to 
CubeSats projects, associated with its — In-Orbit 
Demonstration (IOD) program, highlighting: 


* Review Objectives for ESA In-Orbit Demonstration 
(IOD) CubeSat Projects [8]; 


* Tailored ECSS Engineering Standards for In-Orbit 
Demonstration CubeSat Projects [9]; 


* Product and Quality Assurance Requirements for In- 
Orbit Demonstration CubeSat Project [10]. 


Although the last document presents tailored 
requirements for the Product and Quality Assurance 
disciplines, the tailoring process and the risks associated 
with the modification are not described. 


In 2020, the standard ECSS System Tailoring DRAFT 
1 [11] was published, still in a preliminary version, 
presenting the process for tailoring ECSS standards to 
CubeSats is, considering economic characteristics and 
design techniques. According to this document, after 
identifying the main characteristics, the project must be 
analyzed to identify cost, schedule, main technical 
characteristics, as well as critical aspects and specific 
constraints. 


Among these characteristics, the main strategic, 
organizational, economic or technical characteristics to be 
considered in a project are: 


* Mission objectives (e.g., scientific, commercial, 
institutional); 


* Product type; 
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* Mission characteristics (e.g., orbit, lifetime, 
availability); 


* Restrictions on the environment in which the project 
is inserted (e.g., external interfaces, external regulations, 
purchases); 


* Expected cost until final assembly; 
* Main impact factors on the schedule; 


* Level of commitment (e.g., partnership, supplier) or 
type of commercial arrangement (e.g. fixed price, 
reimbursement of expenses); 


* Maturity of the project or technology (e.g., recurrent 
development, level of technical readiness); 


* Technical complexity of the product; 
* Organizational or contractual complexity; 
* Supplier maturity. 


This standard also proposes a series of steps for 
tailoring the ECSS requirements, based on the risks 
associated with the project. However, the process to be 
followed is not specified. Additionally, it has on its cover 
the information that it was published in the preliminary 
form, so still needs a pilot project to be validated. 


Recently, a work on the related topic [12] proposed a 
method for tailoring Product Assurance requirements for 
small satellites, in which the requirements were evaluated 
in blocks, covering the seven disciplines of the Product 
Assurance area, without addressing the requirements 
individually. 


The present work deals with the tailoring of the Quality 
Assurance requirements presented by ECSS to small 
satellite projects, through a process applied to the complete 
set of requirements of the standard ECSS-Q-ST-20C Rev.2 
- Space product assurance - Quality assurance [13]. By 
applying this process, a minimum subset of requirements 
to be used in small satellite projects was obtained, meeting 
the principles of lower cost and shorter schedule, with 
adequate risk for the mission. 


П. STATE-OF-ART 
2.1 Quality Assurance Requirements 


According to ECSS-S-ST-00C Rev.1 - ECSS System 
Description, implementation and general requirements [4], 
the development of a space system is supported by four 
major branches, represented by knowledge areas: Project 
Management, Product Assurance, Engineering and Space 
Sustainability. These areas of knowledge, can be broken 
down into disciplines. Figure 1 shows the disciplines of the 
Product Assurance. 
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Fig. 1: Development of a Spatial System, with emphasis on 
the disciplines of the Product Assurance, extracted from 


[4]. 


According to ECSS-Q-ST-10C Rev. 1, Space product 
assurance - Product assurance [14], Product Assurance 
aims to “ensure that space products meet their defined 
mission objectives, safely, reliably and with desired 
availability”. 

As shown in Figure 1, the Product Assurance 
disciplines are: 


* Product Assurance Management; 

* Quality Assurance; 

* Dependability; 

* Safety; 

* EEE components; 

* Materials, Mechanical Parts and Processes; and 
* Software Product Assurance. 


This work focuses on the analysis of the requirements 
of the Quality Assurance discipline, presented in ECSS-Q- 
ST-20C Rev.2 Space product assurance - Quality 
assurance [13] and the development of a process of 
tailoring of these requirements aimed at to small satellite 
missions. 


The proposed process was developed from the project 
classification, given its complexity and cost, considering 
its exposure to risk related, to the introduced tailoring. The 
process assesses the risk of not using a requirement, using 
the FMEA/FMECA tool, shown in ECSS-Q-ST-30-02C - 
Space product assurance - Failure modes, effects (and 
criticality) analysis (FMEA/FMECA) [15]. 


2.1 Mission Risk Classification 


In the early 200058 [16] in a work entitled The 
Intelligent Application of Quality Management to Smallsat 
Programs published in the 19th Annual AIAA/USU, 


www.ijaers.com 


International Journal of Advanced Engineering Research and Science, 8(5)-2021 


Conference on Small Satellites, the authors pointed out 
that the key to the success of small satellite missions is the 
risk management and the intelligent use of Quality 
Management principles. In this work, the authors 
mentioned that, with the challenge proposed in the 1960’s 
by President Kennedy to NASA, to safely take and bring 
astronauts to the Moon, efforts were made to elaborate 
design, acquisition, production, testing, qualification and 
acceptance processes so that human errors are minimized, 
and failures do not occur. This leads to the understanding 
that the engineering and assurance requirements of the 
mission were defined by what was most innovative at that 
time. 


Subsequently, these authors reminded that, with the 
declining world economy in the following years, a new 
management culture came into action that began to 
promote faster, better and cheaper space products (known 
by the acronym FBC). In this way, the quality system was 
directed into this new policy to meet the increasingly 
restrictive cost/benefit ratio. As a consequence, the result 
in the following decades was the occurrence of disasters, 
including manned missions. 


In this same context, the authors warned that what was 
lacking in the FBC policy was a fourth decision element: 
“doing it intelligently". They state that the risks in small- 
satellite contexts are either technical risks associated with 
not meeting requirements or programmatic risks associated 
with not meeting cost and schedule. Continuing this 
reasoning, the authors propose the use of the 
FMEA/FMECA tool, for the assessment of risks, mainly 
associated with materials and the use of COTS 
components. 


The FMEA/FMECA tool, initially proposed by the 
aerospace industry in the 1960's, was adopted by the 
automotive industry in the following decade. Currently, 
this tool is used in other areas such as medicine, energy 
generation, among others. In the aerospace area, it is an 
important tool for risk analysis, mainly used by the 
Dependability discipline [17]. 


In 2011, Aerospace published the document Mission 
Assurance Guidelines for A-D Mission Risk Classes [18], 
which classifies space missions based on their associated 
risks. This document proposes that the risk of a mission 
could be defined based on economic and technical criteria 
specific to each project and recommends tailoring the 
requirements for the different engineering areas. The 
characteristics taken for the risk classification proposed in 
this Aerospace publication are similar to those proposed by 
the ECSS in its requirements tailoring document, ECSS 
System Tailoring DRAFT 1 [11], previously mentioned. 
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Table 1 shows the characteristics adopted for the 
mission risk classification, based on the Aerospace 
publication [19], in which space projects are divided in 
four classes: A, B, C or D. 


Table.1: Mission Risk Class Profiles [19] 


Character | Class Class Class Class 
istic A B С р 
Risk Mini 
inimu 
Acceptan Low Moderate | Higher 
m 
ce 
Operatio 
nal or Explorat 
Payload Operati | Technolo ory or Experim 
type onal gy Experim ental 
Qualifica ental 
tion 
Cost Highest High Medium | Lowest 


Complei | V 
omp'exi су High | Medium | Low 


ty high 
а 4 уеагѕ < | 1 уеаг< 
Mission МІ>7 ML <1 
1 ML <7 ML «4 
Life (ML) years year 
years years 
National | Ext 
Significan | ty | Critica | I эл 
В х) Critical | Critical 
ce Critical 
Launch V 
Constrain | |^ High | Medium | Low 
high 
ts 
Alt ti ignifi- 
и None Few Some Sig 
es cant 
Mission All PA Few Reduced | Few PA 


Success 


measure | comprom | set of PA | measures 


In this context, the Aerospace Mission Classification 
Guide [18] provides the definition of Mission Assurance 
requirements based on risk analysis. This guide is based on 
the documents Risk Classification for NASA Payloads 
[19] and DOD HDBK34 3- Military handbook: design, 
construction, and testing requirements for one-of-a-kind 
space equipment [20]. The risk profiles presented above 
are associated with technical and quality issues, which can 
impact the success of a mission. Evaluation criteria are 
also proposed resulting in a set of characteristics 
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associated with mission risk, allowing space missions to be 
categorized into four classes. They are: 


* Class A - Extremely critical operating systems, where 
all practical measures must be taken to ensure mission 
success, through a minimal risk profile. These are missions 
with a long-life cycle (typically longer than 7 years), high 
cost and high investment associated with national interest. 
This class includes manned missions; 


* Class B - Critical operating systems, exploratory and 
technical demonstrators, in which only minor adjustments 
are assumed in the application of Mission Assurance 
standards, to balance cost-effectiveness and ensure mission 
success. This is achieved through a low risk profile. These 
are medium lifecycle missions (typically between 4 and 7 
years), high cost and with high to moderate complexity; 


* Class C - Defined as missions of minor national 
importance, exploratory or experimental, with a reduced 
set of Mission Assurance standards applied, resulting in a 
moderate risk profile. These are short lifecycle missions 
(typically between 1 and 4 years), with moderate cost and 
complexity; and 


* Class D - These are missions defined as having low 
national criticality, presenting a higher risk profile. They 
have a very short life cycle (typically less than 1 year), and 
a minimal set of Mission Assurance requirements, with 
low cost and complexity. 


The Aerospace Mission Classification Guide [18] 
schematically illustrates this classification, Figure 2a, 
showing that, while the amount of Mission Assurance 
activities increases from Class D to Class A, the Residual 
Risk to which the project is exposure decreases, and, as a 
consequence, although a class A mission presents greater 
risk exposure, its residual risk is lower. 


Figure 2b, from the same guide [18], shows that the 
greater the investment in Mission Assurance, the greater 
the predictability of the success of the mission, in addition 
to the lower variability of its success. 
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Fig. 2: Adaptation of classification showing Residual Risk 
and Classes A to D, extracted from [18] 


In parallel with NASA/Aerospace activities, ESA 
developed a process to tailor ECSS standards shown in its 
IOD project mentioned before. This project brings together 
the ESA efforts in the construction of CubeSats from 2U to 
6U, in several countries, in universities and associated 
research institutes, and proposes, in the sense of 
standardization, a minimum set of requirements for the 
construction of small satellites [9]. 


Particularly the document Review Objectives for ESA 
In-Orbit Demonstration (IOD) CubeSat Projects [8] 
provides an assessment of the documents required for their 
flight equipment and performs a tailoring of the required 
engineering standards for CubeSats, as well as indicating 
the requirements, applicable or not, in each of them. In this 
document, the indication is that CubeSat projects for in- 
orbit demonstration, in low earth orbit (LEO), are 
generally characterized by the following attributes: 


* Complete autonomous systems, including platform, 
payload, ground segment and operations; 


* Profile of greater risk acceptance; 
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* Low level of complexity (compared to other ESA 
space projects); 


* Low cost (< 1M Euro) and short development 
schedule («2 years for flight readiness); 


* Short operational life (typically «1 year in LEO 
orbit); 
* Single-Point of Failure (SPF) acceptance; 


* Limited redundancy (whenever possible within the 
constraints); 


* Limited fault tolerance (whenever possible within the 
constraints); 


* Robust security mode (thermal and energy robustness 
in any attitude); 


* Extensive use of off-the-shelf commercial elements 
(COTS) - modules that have flight heritage and are 
supplied by small industrial suppliers at a fixed price; 


* Extensive testing focused on the system level 
(functionality and qualification/acceptance environment); 


* Simple project organization with well-integrated 
teams: single entity for systems engineering, AIV 
(Assembly, Integration and Verification), and operations, 
few suppliers or sub-contractors. 


These are characteristics with greater acceptance of 
mission risk and low associated cost. 


Within the same project, the document Product and 
Quality Assurance Requirements for  In-Orbit 
Demonstration CubeSat Project [10] brings Quality 
Assurance and Product Assurance requirements for 
satellites classified in the IOD project. It addresses the 
minimum requirements for quality assurance of a CubeSat. 


Other documents available for this project are: IOD 
CubeSat Deliverable Items List [21] and the IOD CubeSat 
Deliverable Requirements Definition [22]. 


Ш. METHODS 


For the purpose of classifying a space mission, the 
criteria used by Aerospace [18] shown in section 2.2 are 
adopted in this work. Based on these criteria, the small 
satellites addressed in this work are categorized into 
Classes C and D, with their associated risk profiles. 


The document Aerospace Mission Assurance 
Guidelines for A-D Mission Risk Classes [18] addresses 
considerations for each class and discipline in the Product 
Assurance area. These considerations guided the decision- 
making on maintaining, modifying, or eliminating a 
certain requirement during the tailoring process carried out 
for the Quality Assurance discipline, based on the 
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complete the set of requirements of ECSS-Q-ST-20C 
Rev.2 Space product assurance - Quality assurance [13] 


The process adopted is based upon the use of the 
FMEA/FMECA tool [15] to evaluate the possible failures 
resulting from the eventual non-use of each requirement. 
That is, a failure in this process is defined as “a restrictive 
event potentially caused by the absence of the 
requirement”. 


These failures were evaluated in terms of their 
probability of occurrence, the severity of their effects and 
their probability of detection. The objective of this process 
was the assessment of each requirement individually, as 
well as the associated risks and potential effects. 


3.1 Process Development 


The tailoring process was conducted in two weekly 
meetings of approximately 2 hours each, over a period of 
10 months, with the authors experienced in Product 
Assurance for space projects in the National Institute for 
Space Research (INPE). During this period, the specialists 
interacted in online meetings, exposing their perceptions 
about each requirement, pointing out the criteria adopted 
and discussing until common agreement. Further analyses 
of the requirements were performed to prevent a 
requirement from being scored differently from another 
similar requirement. 


3.2 Process 


Among the possible ways to represent processes, the 
Integration Definition for Function Modeling (IDEFO) 
diagram has been chosen, as presented in 1993 by the 
FEDERAL INFORMATION PROCESSING 
STANDARDS PUBLICATION - FIPS in the Integration 
Definition for Function Modeling (IDEFO) [23]. This 
representation defines the function that the process 
performs, the inputs that will be transformed into outputs, 
the controls required to produce a correct output, the 
mechanism by which the inputs are transformed and, 
finally, the outputs with the output data of the process. 


IV. RESULTS AND DISCUSSION 


Figure 5 shows the IDEFO representation of the 
proposed process "Tailoring", showing the input (ECSS 
Space product assurance - Quality assurance [13] the 
control Aerospace Mission Assurance Guidelines for A-D 
Mission Risk Classes [18] and ECSS-S-ST-00-02C ECSS 
System Tailoring DRAFT 1 [11], the mechanism (ECSS 
Space product assurance - Failure modes, effects (and 
criticality) analysis (FMEA/FMECA) [15], and the output 
(“Quality Assurance Requirements for Small Satellite 
Projects"). 
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Figure 5 shows that the input had each of its 
requirements evaluated individually, according to defined 
criteria. At the end of this assessment, the requirement 
received one of three possible qualifications: maintained, 
modified or removed. Those requirements qualified as 
maintained or modified become part of the subset called 
“Quality Assurance Requirements for Small Satellite 
Projects”, shown in Figure 3 as the process output. 


During the evaluation of each requirement, those that 
maintained similarity with the ones from the ESA 
document Product and Quality Assurance Requirements 
for In-Orbit Demonstration CubeSat Project [10], used as a 
reference, were also analyzed. 


AEROSPACE REPORT NO. TOR-2011(8591)-21 
Mission Assurance Guidelines for A-D Mission Risk Classes 


ECSS-S-ST-00-02C-DRAFT1 
ECSS System - Tailoring 


CONTROLS 


ECSS-Q-ST-20C ECSS System 
Space product assurance - 
Quality assurance OUTPUT 
TAILORING 


Small Satellites 
Quality Assurance Requirements 


INPUT 


ECSS-Q-ST-30-02C 
Space product assurance — 
FMEA/FMECA 


MECHANISM 


Fig. 3: IDEFO representation for the tailoring process for 
quality assurance requirements. 


Figure 4 shows the process step-by-step. For each input 
requirement, its related failure (restrictive event potentially 
caused by the absence of the requirement) and probable 
consequences for the project are defined. Thus, the 
characteristics of this failure are defined, that is, are 
highlighted the effects produced in four dimensions of the 
project: safety, product, process and programmatic. 
Subsequently, possible ways of detecting these effects and 
a possible preventive or compensatory provision to 
mitigate them are evaluated. 


Requirement Failure Probability, Severit pma; Criticalit 
Я Effects f ocurrence Y of detection Y 
о 5 р c 


ECSS-Q-ST-30-02C - Safety 
- product 
- process 
- programmatic 


Fig. 4: Obtaining the criticality, or residual risk, 
associated with the failure. 


Table 2 shows an extract of this analysis on each 
requirement. 
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Table.2: Extract from the analysis of effects, detection and provision in each assessed requirement. 


ECSS Quality Assurance ECSS-Q-ST-20C 


Effects 
A — safety 
B — product 
C — process 
D - programmatic 


Detection 
(in effect) 


Provision 
P — preventive 
s 
compensatory 


5.5.9 Specific requirements for assembly and integration 
5.5.9.1 | Control of temporary installations and removals 
a | The supplier shall ensure the control of flight items | A — worker injury А – perception В | C — activities 
which are temporarily removed or non-flight items | B — product damage | — inspection and logbook 
which are temporarily installed to facilitate | C — unfeasible tests С- 
assembly, integration, testing, handling or | activities perception D — 
preservation of the end item. D — increase in cost | schedule and 
and time budget analysis 
The control shall be initiated upon installation or | A - Not Applicable | A - Not 
b removal of the first temporarily installed or | B - Not Applicable | Applicable В - р 
removed item and be maintained through delivery | C - Not Applicable | Not Applicable 
and use of the end item. D - Not Applicable C - Not 
Applicable D- 
Not Applicable 
c | The supplier shall establish and maintain records of | A - worker injury A - Not 
temporary installations and removals. B-product damage | Applicable В - - 
C - unfeasible Not Applicable 
activities C – perception D 
D - increase in cost - schedule and 
and time budget analysis 
Temporarily installed items shall be accounted for | A - Not Applicable | A - Not 
d to prevent their being incorporated in the final B - Not Applicable | Applicable В - И 
flight configuration. C - Not Applicable | Not Applicable 
D - Not Applicable C - Not 
NOTE Temporary installations and removals are Applicable D- 
also called respectively, red tag items and green tag Not Applicable 
items. 
Table.3: Extract of the Quality Assurance requirements assessment matrix. 
(O) (O) (S) (S) (D) (D) (C) (C) 
Class | Class | Class | Class | Class | Class | Class | Class 
ECSS Quality Assurance C D C D C D C D 
ECSS-Q-ST-20C Q-ST-30-02C Q-ST-30-02C Q-ST-30-02C critical 
page 36 Table | page 36 Table | page 36 Table | (О) = 4; 
8.2 8.1 8.3 (D) =4; 
(S) 2 3; 
(C) 2 12 
5.5.9 | Specific requirements for assembly and integration 
5.5.9.1 | Control of temporary installations and removals 
www.ijaers.com Page | 572 
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The supplier shall ensure the control of 
a flight items which are temporarily 
removed or non-flight items which are 
temporarily facilitate 4 
assembly, integration, testing, handling or 
preservation of the end item. 


installed to 


The control shall be initiated upon 
b installation or removal of the first 
temporarily installed or removed item and 1 
be maintained through delivery and use of 
the end item. 


The supplier shall establish and maintain 
c records of temporary installations and 1 
removals. 


Temporarily installed items shall be 
d accounted for to prevent their being 
incorporated in the final flight 

configuration. 1 


NOTE Temporary installations and 
removals are also called respectively, red 
tag items and green tag items. 


Then, the three factors related to the failure are scored, 
based on the ECSS Space product assurance - Failure 
modes, effects (and criticality) analysis (FMEA/FMECA) 
[15]. Initially, the probability of occurrence (O) of the 
failure in the project is evaluated, that is, in the perception 
of the specialists on what is the probability of that failure 
to occur. Then, the severity (S) of the possible 
consequences of the failure occurrence is analyzed and, 
finally, its probability of detection (D). These 3 factors are 
analyzed based on the description of the criteria in ECSS 
standard (ECSS-Q-ST-30-02C [15] Tables 8.1, 8.2 and 
8.3. 


The parameter probability of Occurrence (O) of the 
failure can be graded from 1 (very unlikely), 2 (unlikely), 
3 (likely) or 4 (very likely). 


The parameter Severity (S) of the failure is associated 
with the effects of the possible failure in four dimensions: 
safety, product, process and programmatic. In this case, the 
standard ECSS-Q-ST-30-02C [15] recommends the 
adoption of four values, from 1 to 4, being 1 for minor 
losses and 4 for damages of greater impact. 


The parameter Detectability (D) of the failure is 
associated with the probability that the effects of the 
failure will be detected, and considers four values, from 1 
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to 4, being 1 (very likely), 2 (likely), 3 (unlikely) and 4 
(very unlikely). 


With these three parameters (O, S and D) in hand, the 
value of the Criticality (C) of the failure, also known as 
Residual Risk (RR) is defined as their product, that is: C = 
OxSxD 


Finally, the ECSS-Q-ST-30-02C [15] provides the 
steps to identify the critical processes (requirements), that 
for this study means “a requirement that cannot be 
eliminated". In other words, the *C" metric will be used to 
identify requirements that must be maintained (or 
eventually modified), in opposition to those that can be 
eliminated. 


Thus, a requirement will be considered critical if the 
score associated with its potential failure is: 


e Occurrence A = 4, or 

. Severity S > 3, or 

. Detectability D = 4, or 

. Criticality (Residual Risk) C > 12 


The applied process is shown in Table 3, which shows 
a clipping of the ECSS requirements assessment matrix, 
for the Quality Assurance discipline [13], object of this 
study. 
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In this matrix, the requirements of the ECSS standard 
[13] are allocated on the left, that in this example are the 
requirements belonging to section 5.5.9.1 — Control of 
Temporary Installation. In this section four requirement 
are allocated, respectively 5.5.9.1a to 5.5.9.1d, which were 
evaluated with the proposed process. 


The effects of the failure in the safety, product, process 
and programmatic dimensions; the means of detecting 
these effects; and eventual preventive or compensatory 
provisions to minimize them; were evaluated. These 
evaluations served as a benchmark for the analysis of the 
parameters of Probability of Occurrence (O), Severity (S), 
Detectability (D) and Criticality (C). Table 2 shows pairs 
of columns associated with these parameters, respectively 
for satellites classes C and D [18]. 


Taking the requirements of family 5.5.9.1 as example, 
it can be seen in Table 2 that the parameter (O) for 
requirement 5.5.9.1a was considered to have a high 
probability of occurrence for class C satellites, grade 4 
(very likely), while for Class D it received grade 3 
(probable). The failures referring to the other requirements 
of this same family, 5.5.9.1b to 5.5.9.1d, received grade 1, 
with a very low probability of occurrence for both classes 
of satellites. The Severity parameter (S) received grades 4 
and 3 for classes C and D, while the Detectability 
parameter (D) received 3 for both classes. With these three 
parameters (O, S and D) for requirement 5.5.9.1a, the 
Criticality (C) value of the potential failure was obtained 
as 48 for Class C and 27 for Class D. 


According to the criteria for inclusion or exclusion of 
requirements described above, the potential failure 
regarding requirement 5.5.9.1a was considered critical, 
therefore the requirement must be maintained for both 
classes of satellites. However, requirements 5.5.9.1b and 
5.5.9.1d did not have their potential failures considered 
critical, and therefore were excluded from the set of 
requirements for both classes. Moreover, the potential 
failure referring to requirement 5.5.9.1c received a grade 3 
in severity for class C (critical) and 2 for class D (non- 
critical), and thus the requirement was maintained for class 
C and eliminated for the class D. 


Following this analysis process, all 193 requirements 
present in the standard ECSS Space product assurance - 
Quality assurance [13] were evaluated, and the resulted 
requirements (maintained or modified) are shown in Table 
4. 
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Table.4: Results from the tailoring process. 


Document Requirements 
Qty % 

ESA - | ECSS-Q-ST-20C [8] 193 100 
ECSS 
standard 
ESA -|PA and QA for IOD | 125 65 
IOD CubeSat [5] 
project 

Tailored ECSS-Q-ST-20C | 145 75 
This work for Class C 

Tailored ECSS-Q-ST-20C | 102 53 

for Class D 


It is observed that the proposed tailoring process 
resulted in a reduction in the amount of requirements to be 
used in projects with low responsibility. This reduction 
was on the order of 50% of the requirements originally 
present in the ECSS-Q-ST-20C [13] In comparison to the 
number of requirements presented in the document Product 
and Quality Assurance Requirements for In-Orbit 
Demonstration CubeSat Project [10] it is observed that 
there is also a reduction of the same order of magnitude in 
the amount of requirements. In spite of the arrangement 
requirements in IOD Project does not follow the same text 
and arrangement as provided for in the ECSS-Q-ST-20C 
[13], a direct comparison between their results is possible 
but limited, Figure 5. 
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Fig. 5: Comparison between author results, OID Project 
and ECSS-Q-ST-20C requirements. 


However, even though the method used is based on risk 
analysis and counting on experts with experience in 
Product Assurance in INPE satellites, notably in the 
CBERS and AMAZONIA! satellites, the results still lack 
validation in a small satellite project. 
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The complete results of the application of this 
methodology are available in the Appendix A to this work 
and an extract can be seen in Table 5. 


Table.4: Extract of the final result. 


ECSS-Q-ST-20C Rev. Class C Class D 
5.1 QA managment requirements 
5.1.1 Quality assurance plan 

a X 

b X 
5.1.2 Personal training and certification 

a X 

b X 

c x 

d 
5.2 QA general requirements 
5.2.1 Critical items control 

a x x 
5.2.2 Nonconformance control system 

a x x 
5.2.3 Managements of alerts 

a x x 
5.2.4 Acceptance authority media 

a 

b X 

c x 

d X 

e X 

f X 
9.2.9 Traceability 

a x 

b X 

c x 

d X 

e X 


V. CONCLUSION 


In the proposed process, the Quality Assurance 
requirements presented in the standard ECSS-Q-ST-20C 
[13] could be individually evaluated by specialists from 
the perspective of a risk analysis based on the FMECA 
tool. In this process, the potential failures associated with 
the requirements received grades that, when combined, 
became reference for choosing the requirements to be 
maintained, modified or eliminated for use in projects of 
low responsibility satellites. This process and its resulting 
set of requirements must be validated in a satellite project 
that meets these characteristics. 
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Requirements from ECSS Quality Assurance 
(ECSS-Q-ST-20C [2020]) 


5.1 QA management Class 
- Class D 
5.1.1 | Quality assurance plan C 
a X X 
b X х 
5.1.2 | Personnel training and 
a X X 
b X X 
c x X 
d 
5.2 QA general requirements 
5.2.1 |Critical-items control 
a X X 
5.2.2 | Nonconformance control 
a X X 
5.2.3 | Management of alerts 
a X X 
5.2.4 | Acceptance authority media 
a X X 
b X X 
c x 
d X 
e X 
f X 
5.2.5 | Traceability 
a X X 
b X X 
c x 
d X 
e X 
5.2.6 | Metrology and Calibration 
a X X 
b X X 
c x 
d X 
e X 
f X X 
g X 
h X 
i X 
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j x 
k X 
Ї X 
m X X 
n X X 
o x 
p X 
q X 
5.2.7 |5.2.7 Handling, storage, 
5.2.7. | Handling, storage and 
a X X 
5.2.7. | Storage (deleted) 
5.2.7. | Preservation 
a X X 
5.2.8 | Statistical quality control and 
5.2.8. | General 
a 
b 
c 
d 
e 
f 
5.2.8. | Sampling plans 
a 
b 
5.3 QA requirements for design 
5.3.1 |Design rules 
5.3.1. | Producibility 
a X X 
5.3.1. | Repeatability 
a X X 
5.3.1. | Inspectability and testability 
a X X 
5.3.1. | Operability 
a X X 
5.3.2 | Verification 
5.3.2. 
a X 
b X 
c x 
d X 
e X 
5.3.2. | Design verification analysis 
a X X 
b X X 
5.3.2. | Design reviews 
a X X 
5.3.2. | Qualification process 
5.3.2. | Qualification 
a X X 
b X 
c x 
d 
e x 
5.3.2. | Qualification by similarity 
a x X 
b X 
c x 
d X 
5.3.2. | Qualification testing 
a X 
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b х х 5.5.3. | Statistical process control 
5.3.2. | Qualification status a 
a 5.5.4 | Workmanship standards 
5.3.2. | Maintenance of qualification a X X 
a X b х 
b X X € X 
c X X Э:5.5 
5.3.2. | Design changes a X X 
a X X b X X 
5.4 QA requirements for € X 
5.4.1 | Selection of procurement 5.5.6 | Equipment control 
5.4.1. | General 5.5.6. | Tooling 
a X a 
5.4.1. | Selection criteria b X X 
a X X € 
b X X d 
5.4.1. | Record and list of e 
a X X f 
b X X g 
5.4.2 | Procurement documents h X X 
a X X i 
b х х 5.5.6. | Equipment for computer- 
c X X a X X 
d b X 
5.4.3 | Surveillance of procurement 5.5.7 |Cleanliness and 
a X X 5.5.7. | General 
b X X a X X 
c X X 5.5.7. | Cleanliness levels 
d X X a X X 
e X х b X X 
5.4.4 | Receiving inspection 5.5.7. | Cleaning materials and 
5.4.4. | General a X X 
a X х 5.5.7. | Contamination control 
b X X a X 
c X X b X 
5.4.4. | Receiving inspection c х X 
a X X 5.5.7. | Cleanliness of facilities 
5.4.4. | Customer furnished items a X X 
a х х 5.5.8 | Inspection 
5.4.4. | Receiving inspection records a X X 
a X х b X X 
5.5 QA requirements for c х х 
5.5.1 | Planning of manufacturing, d X X 
a X X e X X 
b f X X 
c В 
а х х h 
e X X i X 
f j 
g k 
5.5.2 | Manufacturing readiness 5.5.9 | Specific requirements for assembly and integration 
a X X 5.5.9. | Control of temporary installations and removals 
b X X a X X 
5.5.3 | Control of processes 
5.5.3. | General c X 
a d 
b X X 
c х х 5.5.9. | Logbooks 
d X X a X X 
5.5.3. | Special processes b 
a X X c 
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e 


Manufacturing, assembly 


a 


Electrostatic discharge 


a 


b 


QA requirements for testing 


Test facilities 


a 


Test equipment 


a 


b 


с 


Test documentation 


Test procedures 


a 


b 


Test reports 


a 


b 


Test performance monitoring 


» 
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Test reviews 


a 


b 


QA requirements for 


Acceptance and delivery 


a 


b 


End item data package 


a 


b 


(9 


Acceptance review board 


FID 18410 |с | 


£ 
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Preparation for delivery 


Packaging 


a 


Marking and labelling 


a 


Delivery 


Shipping control 


a 


b 


Transportation 


a 
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